LibTIFF tiff2pdf buffer overflow

libtiff-tiff2pdf-bo (26991)

High Risk

Description:

LibTIFF is vulnerable to a stack-based buffer overflow in the tiff2pdf module. By creating a malicious TIFF file with a DocumentName tag containing UTF-8 encoded characters, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause a denial of service, once a victim processes the malicious TIFF file.

Platforms Affected:

• Canonical, Ubuntu 5.04
• Canonical, Ubuntu 5.10
• Canonical, Ubuntu 6.06 LTS
• Debian, Debian Linux 3.0
• Debian, Debian Linux 3.1
• Gentoo, Linux
• MandrakeSoft, Mandrake Linux 2006
• MandrakeSoft, Mandrake Linux 2006 X86_64
• MandrakeSoft, Mandrake Linux LE2005 X86_64
• MandrakeSoft, Mandrake Linux LE2005
• RedHat, Enterprise Linux 4 WS
• RedHat, Enterprise Linux 4 ES
• RedHat, Enterprise Linux 4 Desktop
• RedHat, Enterprise Linux 4 AS
• Sam Leffler, LibTIFF 3.8.2
• Sun, Solaris 10 SPARC
• Sun, Solaris 10 x86
• Sun, Solaris 8 x86
• Sun, Solaris 8 SPARC
• Sun, Solaris 9 SPARC
• Sun, Solaris 9 x86

Remedy:

For Debian GNU/Linux:
Refer to DSA-1091-1 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux:
Refer to Gentoo Linux Security Announcement GLSA 2006-07-03 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Apply the appropriate update for your system. See References.

Consequences:

Gain Access

References:

• Debian Bug report logs - #370355, libtiff-tools: tiff2pdf segfault at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=370355.
• LibTIFF Web page, LibTIFF - TIFF Library and Utilities at http://www.remotesensing.org/libtiff/.
• RemoteSensing Bugzilla Bug 1196, tiff2pdf dumps core when DocumentName contains UTF-8 at http://bugzilla.remotesensing.org/show_bug.cgi?id=1196.
• Sun Alert ID: 103099, Multiple Security Vulnerabilities in the Solaris Tag Image File Format Library libtiff(3) at http://sunsolve.sun.com/search/document.do?assetkey=1-26-103099-1.
• Sun Alert ID: 103160, Security Vulnerabilities in libtiff(3) May Allow Denial of Service (DoS) or Privilege Elevation at http://sunsolve.sun.com/search/document.do?assetkey=1-26-103160-1.
• ASA-2007-440: Multiple Security Vulnerabilities in the Solaris Tag Image File Format Library libtiff(3) (Sun 103099)
• ASA-2007-509: Security Vulnerabilities in libtiff(3) May Allow Denial of Service (DoS) or Privilege Elevation (Sun 103160)
• ASA-2008-374: libtiff security and bug fix update (RHSA-2008-0848)
• BID-18331: LibTIFF tiff2pdf Remote Buffer Overflow Vulnerability
• CVE-2006-2193: Buffer overflow in the t2p_write_pdf_string function in tiff2pdf in libtiff 3.8.2 and earlier allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a TIFF file with a DocumentName tag that contains UTF-8 characters, which triggers the overflow when a character is sign extended to an integer that produces more digits than expected in an sprintf call.
• DSA-1091: tiff -- buffer overflows
• GLSA-200607-03: libTIFF: Multiple buffer overflows
• MDKSA-2006:102: Updated libtiff packages fixes tiff2pdf vulnerability
• RHSA-2008-0848: Important: libtiff security and bug fix update
• SA20488: LibTIFF tiff2pdf Buffer Overflow Vulnerability
• SA27181: Sun Solaris libtiff Multiple Vulnerabilities
• SA27222: Sun Solaris libtiff Multiple Vulnerabilities
• SA27832: Sun Solaris libTIFF Multiple Vulnerabilities
• SUSE-SR:2006:014: SUSE Security Summary Report
• USN-289-1: tiff vulnerabilities
• VUPEN/ADV-2006-2197: LibTIFF tiff2pdf and tiffsplit File Handling Buffer Overflow Vulnerabilities
• VUPEN/ADV-2007-3486: Sun Solaris libTIFF Multiple Code Execution and Denial of Service Issues
• VUPEN/ADV-2007-4034: Sun Solaris libTIFF Multiple Code Execution and Denial of Service Issues

Reported:

Jun 04, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page